For years, cybersecurity professionals have tracked the evolution of social engineering attacks that prey on human trust and technical naivety. Now, a sophisticated new variant of the ClickFix campaign has emerged that takes deception to an alarming new level — tricking users into manually altering their own DNS settings, effectively handing attackers the keys to redirect all internet traffic and install malware with minimal detection. The technique represents a significant escalation in adversary tradecraft and poses a serious threat to both individual users and enterprise networks.
The ClickFix attack methodology, which first gained notoriety in 2024, has historically relied on fake error messages and fraudulent CAPTCHA prompts to manipulate users into copying and executing malicious PowerShell commands. But as reported by Cybersecurity News, the latest iteration introduces a custom DNS hijacking mechanism that fundamentally changes the attack’s scope and persistence. Rather than simply executing a one-time payload, the new approach redirects the victim’s DNS queries to attacker-controlled servers, enabling sustained man-in-the-middle capabilities and ongoing malware delivery.
From Fake CAPTCHAs to Full DNS Takeover
The original ClickFix campaigns were deceptively simple. Victims would land on a compromised or malicious website that displayed a fake browser error, a phony CAPTCHA verification, or a fabricated system alert. The page would instruct users to press specific key combinations — typically Windows + R to open the Run dialog, followed by Ctrl + V to paste a pre-loaded malicious command, and then Enter to execute it. The clipboard had been silently loaded with a PowerShell or command-line script that would download and execute malware. The genius of the approach was that it bypassed many automated security tools because the user themselves initiated the malicious action.
The new DNS hijacking variant, however, goes considerably further. According to the detailed analysis published by Cybersecurity News, attackers are now presenting victims with step-by-step instructions that guide them through manually changing their Windows DNS server settings. The instructions are disguised as troubleshooting steps to resolve a fabricated connectivity issue or to access supposedly restricted content. Once the victim changes their DNS settings to point to an attacker-controlled DNS server, every domain name resolution on that machine is effectively compromised.
How the DNS Hijacking Mechanism Works
DNS — the Domain Name System — functions as the internet’s phone book, translating human-readable domain names like google.com into numerical IP addresses that computers use to route traffic. When an attacker controls a victim’s DNS resolver, they gain extraordinary power. They can redirect requests for legitimate banking websites to pixel-perfect phishing pages, serve malicious software updates that appear to come from trusted vendors, or intercept authentication tokens and credentials in transit.
In this new ClickFix variant, the attack chain typically begins with a lure — often a phishing email, a malicious advertisement, or a compromised legitimate website. The victim is presented with what appears to be a technical support page or a content access portal. The page displays detailed, visually polished instructions telling the user to open their network adapter settings, navigate to the DNS configuration panel, and manually enter specific DNS server IP addresses controlled by the threat actors. The instructions are crafted with professional-looking screenshots and step-by-step guidance, making them appear authoritative and trustworthy.
Persistence Without Traditional Malware Signatures
What makes this technique particularly insidious is its stealth. Traditional malware installations leave artifacts — executable files, registry modifications, scheduled tasks — that endpoint detection and response (EDR) tools are designed to identify. DNS setting changes, by contrast, are legitimate system configuration modifications. They don’t trigger most antivirus alerts, they don’t always require elevated privileges, and they persist across reboots. The attacker gains a persistent foothold without ever dropping a traditional malware binary on the victim’s machine in the initial stage.
Once DNS traffic is redirected, the attacker-controlled server can selectively respond to queries. For most domains, it may return legitimate IP addresses, ensuring the victim’s internet experience appears normal. But for targeted domains — banking portals, email providers, software update servers, corporate VPN endpoints — it can return IP addresses pointing to attacker infrastructure. This selective redirection makes the compromise extraordinarily difficult to detect through casual observation. The victim’s internet appears to work normally, while critical traffic is being silently intercepted or manipulated.
The Broader ClickFix Ecosystem and Threat Actor Adoption
The ClickFix social engineering framework has seen rapid adoption across the cybercriminal ecosystem since its emergence. Multiple threat actor groups, including both financially motivated cybercriminals and state-sponsored advanced persistent threat (APT) groups, have incorporated ClickFix techniques into their operations. Security researchers have documented campaigns deploying infostealers like Lumma Stealer and DarkGate, remote access trojans, and even ransomware precursors through ClickFix-style lures.
The technique’s appeal to attackers is multifaceted. By convincing users to execute commands themselves, the attack bypasses email security gateways, web filters, and even many EDR solutions that focus on automated or script-based execution chains. The human element becomes the attack vector, and no amount of technical perimeter defense can fully compensate for a user who willingly follows malicious instructions. The addition of DNS hijacking to this toolkit represents a natural but dangerous evolution — it extends the attacker’s control from a single malicious command execution to ongoing, persistent network-level compromise.
Enterprise Implications and the Challenge of User-Initiated Attacks
For enterprise security teams, the DNS hijacking variant of ClickFix presents a particularly vexing challenge. In many corporate environments, users may have sufficient local permissions to modify their network adapter settings, especially on laptops used in hybrid or remote work scenarios. Group Policy restrictions can lock down DNS settings on domain-joined machines, but enforcement varies widely, and bring-your-own-device (BYOD) policies further complicate the picture.
Network security monitoring tools that track DNS query patterns may detect anomalies — such as a workstation suddenly using a non-approved DNS resolver — but only if such monitoring is actively configured and alerting thresholds are properly tuned. Many organizations focus their DNS monitoring on detecting malicious domain lookups rather than monitoring which DNS servers endpoints are querying. This gap in visibility is precisely what the ClickFix DNS hijacking technique exploits.
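Because selective redirection looks normal from the user's seat, the detection has to happen at the resolver level: which DNS servers are endpoints actually talking to? The following Python is an added example (not code from the article or from Cybersecurity News) that runs over a few constructed flow records and flags any host sending port-53 traffic to a resolver outside an assumed approved set; the resolver addresses, hosts and log format are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the article): "timestamp src_ip dst_ip proto dst_port".
SAMPLE_FLOWS = """\
2025-01-10T09:00:01Z 10.0.5.23 10.0.0.10 UDP 53
2025-01-10T09:00:02Z 10.0.5.23 10.0.0.10 UDP 53
2025-01-10T09:01:10Z 10.0.5.23 203.0.113.77 UDP 53
2025-01-10T09:01:11Z 10.0.5.23 203.0.113.77 UDP 53
2025-01-10T09:01:12Z 10.0.5.23 203.0.113.77 TCP 53
2025-01-10T09:02:00Z 10.0.5.44 10.0.0.11 UDP 53
2025-01-10T09:02:05Z 10.0.5.44 198.51.100.9 TCP 443
"""

# Approved corporate resolvers (assumed values for this example).
APPROVED_RESOLVERS = {"10.0.0.10", "10.0.0.11"}
# RFC 1918 ranges; a resolver outside them is "external" to the network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def parse_flows(text):
    """Yield (src, dst, proto, dport) from the simple flow format above."""
    for line in text.splitlines():
        if line.strip():
            _ts, src, dst, proto, dport = line.split()
            yield src, dst, proto, int(dport)

def find_rogue_resolver_use(text, approved=APPROVED_RESOLVERS):
    """Map each source host to the non-approved resolvers it sent DNS to."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, dport in parse_flows(text):
        # Only DNS (port 53 over UDP or TCP) to a resolver that is not approved.
        if dport == 53 and proto in ("UDP", "TCP") and dst not in approved:
            counts[src][dst] += 1
    return {src: {dst: {"queries": n, "external": is_external(dst)}
                  for dst, n in dsts.items()} for src, dsts in counts.items()}

def alerts(text, approved=APPROVED_RESOLVERS, min_queries=2):
    """Alert lines; the threshold avoids firing on a single stray packet."""
    out = []
    for src, dsts in find_rogue_resolver_use(text, approved).items():
        for dst, info in dsts.items():
            if info["queries"] >= min_queries:
                scope = "external" if info["external"] else "internal"
                out.append(f"{src} sent {info['queries']} DNS queries to "
                           f"non-approved {scope} resolver {dst}")
    return out

if __name__ == "__main__":
    for line in alerts(SAMPLE_FLOWS):
        print(line)
```

The same logic applies to DNS-over-TLS (port 853) once approved DoT resolvers are known; the port filter is the only line that changes.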
Defensive Strategies and Mitigation Approaches
Security experts recommend a multi-layered approach to defending against this threat. At the technical level, organizations should enforce DNS server settings through Group Policy Objects (GPOs) and mobile device management (MDM) solutions, preventing users from modifying DNS configurations without administrator approval. Network access control systems can be configured to quarantine endpoints that are not using approved DNS resolvers. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) configurations pointing to trusted resolvers can add an additional layer of protection.
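Whether the enforcement is a NAC posture check or the DNS-verification step in an incident response playbook, the host-side question is the same: does every adapter point only at approved resolvers? The following Python is an added example (not code from the article) that parses a constructed excerpt laid out like the English output of the real Windows command `ipconfig /all` and reports any resolver not in an assumed approved set; the host, adapter names and addresses are invented.

```python
import re

# Approved corporate resolvers (assumed values for this example).
APPROVED_RESOLVERS = {"10.0.0.10", "10.0.0.11"}

# Constructed excerpt in the layout of `ipconfig /all`; every value is made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.0.5.23(Preferred)
   DNS Servers . . . . . . . . . . . : 203.0.113.77
                                       10.0.0.10

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):$")        # e.g. "Ethernet adapter Ethernet:"
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*: (\S+)$")    # first resolver on the label line
CONT_RE = re.compile(r"^\s{20,}(\S+)$")                  # extra resolvers, deeply indented

def parse_dns_servers(text):
    """Return {adapter_name: [resolver, ...]} from ipconfig /all style output."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            servers[adapter] = []
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            servers[adapter].append(m.group(1))
            in_dns = True
            continue
        # Continuation lines carry only an address; anything else ends the list.
        m = CONT_RE.match(line) if in_dns else None
        if m:
            servers[adapter].append(m.group(1))
        else:
            in_dns = False
    return servers

def unapproved_resolvers(text, approved=APPROVED_RESOLVERS):
    """Return {adapter: [bad resolvers]} for adapters with any non-approved entry."""
    return {a: [s for s in lst if s not in approved]
            for a, lst in parse_dns_servers(text).items()
            if any(s not in approved for s in lst)}
```

Note that the order matters: a non-approved address listed first is queried first, so the approved secondary on the Ethernet adapter above offers no protection.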
At the human level, security awareness training must evolve to address the specific social engineering tactics used in ClickFix campaigns. Users need to understand that no legitimate website or service will ever ask them to change their DNS settings, execute PowerShell commands, or paste content into a Run dialog. Simulated phishing exercises should incorporate ClickFix-style lures to test and reinforce this awareness. As Cybersecurity News emphasized in its reporting, the sophistication of the visual presentation in these attacks — complete with branded logos, professional formatting, and convincing technical language — makes them particularly effective against users who consider themselves moderately technical.
A Signal of Escalating Social Engineering Sophistication
The emergence of DNS hijacking within the ClickFix framework is more than just another incremental threat development — it signals a broader shift in how attackers think about persistence and control. Rather than relying solely on dropping malware that security tools might eventually detect and remediate, threat actors are increasingly targeting system configurations that provide ongoing access with minimal forensic footprint. DNS manipulation, proxy setting changes, and certificate store modifications all fall into this category of “living off the configuration” techniques that complement the well-documented “living off the land” approach.
For the cybersecurity industry and the organizations it serves, this evolution demands a corresponding shift in defensive thinking. Detection strategies must expand beyond file-based and behavior-based malware analysis to encompass configuration integrity monitoring. Incident response playbooks should include DNS setting verification as a standard step. And perhaps most critically, the industry must reckon with the fundamental challenge that ClickFix exploits: when the user is the execution engine, traditional technical controls will always have a blind spot that only education and awareness can fill.